Live

Watch CBSN Live

White House Web Site Revelation

Without the knowledge of the Bush administration, an outside contractor has been using Internet tracking technologies that may be prohibited to analyze usage and traffic patterns on the White House's Web site, an official said Thursday.

The disclosure – the second such revelation in a matter of days – came in response to questions posed by The Associated Press.

The White House Web site uses what's known as a Web bug to anonymously keep track of who's visiting and when. A Web bug is essentially a tiny graphic image - a dot, really - that's virtually invisible. In this case, the bug is pulled from a server maintained by WebTrends and lets the traffic analytic company know that another person has visited a specific page on the site.

Last week, the National Security Agency halted its cookie use after a privacy activist complained and Wednesday, agency officials acknowledged they had made a mistake.

Until Tuesday, the NSA site was creating two cookie files that do not expire until 2035 — likely beyond the life of any computer in use today.

As for the White House web site, David Almacy, the White House's Internet director, is promising that there will be an investigation into whether the practice is consistent with a 2003 policy from the White House's Office of Management and Budget banning the use of most such technologies at government sites.

"No one even knew it was happening," Almacy said. "We're going to work with the contractor to ensure that it's consistent with the OMB policy."

An official with the contractor for the White House web site, WebTrends Inc., said later in the day that although a cookie may be used, no data from it is actually sent back to the company.

Web bugs themselves are not prohibited, but when they are linked to a cookie so that a site can tell if the same person has visited again - a federal agency using them must demonstrate a "compelling need," get a senior official's signoff and disclose such usage, said Peter Swire, a Clinton administration official who helped draft the original rules.

Cookies are widely used at commercial Web sites and can make Internet browsing more convenient by letting sites remember user preferences. For instance, visitors would not have to repeatedly enter passwords at sites that require them.

But privacy advocates complain that cookies can also track Web surfing, even if no personal information is actually collected.

In a 2003 memo, the White House's Office of Management and Budget prohibits federal agencies from using persistent cookies — those that aren't automatically deleted right away — unless there is a "compelling need."

The White House web site privacy policy does not specifically mention cookies or Web bugs, and Almacy said a signoff from a senior official was never sought because one was not thought to be required. He said his team was first informed of the cookie use by the AP.

Jason Palmer, vice president of product management for Portland, Ore.-based WebTrends, insisted the cookies are not used in such manner.

Cookies from the White House site are not generated simply by visiting it, according to analyses by the AP and by Richard M. Smith, a security consultant in Cambridge, Mass., who first noticed the Web bug this week.

Rather, WebTrends cookies are sometimes created when visiting other WebTrends clients. Smith said his analysis of network traffic shows such preexisting cookies have then been used when visiting the White House site.

But WebTrends officials say they do not aggregate information about visitors across multiple sites.

Palmer said the browsers are designed to pull preexisting cookies automatically, and that the company has no choice in the matter. But he insisted the company doesn't use the information.

In any case, Almacy said, no personal data are collected.

In a statement, WebTrends added that the analysis performed at the White House site is typical among organizations for improving user experience.

The Clinton administration first issued the strict rules on cookies in 2000 after its Office of National Drug Control Policy, through a contractor, had used the technology to track computer users viewing its online anti-drug advertising. The rules were updated in 2003 by the Bush administration.

Although no personal information was collected at the time, Swire said, concerns were raised that one site's data could be linked later with those from the contractor's other clients.

"It all could be linked up after the fact, and that was enough to lead to the federal policy," Swire said.

Nonetheless, agencies occasionally violate the rules inadvertently. The CIA did in 2002, and the National Security Agency did so more recently.

Daniel Brandt, a privacy activist who discovered the NSA cookies, said mistakes happen, "but in any case, it's illegal. The (guideline) doesn't say anything about doing it accidentally."

The Bush administration has come under fire recently over reports it authorized NSA to secretly spy on e-mail and phone calls without court orders.

Since The New York Times disclosed the domestic spying program earlier this month, President Bush has stressed that his executive order allowing the eavesdropping was limited to people with known links to al Qaeda.

But on its Web site Friday, the Times reported that the NSA, with help from American telecommunications companies, obtained broader access to streams of domestic and international communications.

The NSA's cookie use is unrelated, and Weber said it was strictly to improve the surfing experience "and not to collect personal user data."

View CBS News In